Antivirus Software Can Be Hijacked to Compromise Windows Systems

The vulnerability allows an attacker to abuse the option to restore files from quarantine and then deploy malware in a sensitive location.

Despite Microsoft making Windows Defender a more advanced security product, third-party antivirus solutions are still considered by many to be must-have tools to block malware from compromising computers.

But as it turns out, installing antivirus protection can prove to be a double-edged sword, as a security vulnerability in such software can allow cybercriminals to abuse the restore from quarantine option and, in the end, infect a target machine.

Security researcher Florian Bogner discovered the vulnerability in the engine of several antivirus products, and as he explained in an in-depth analysis, it makes it possible for attackers to simply move a quarantined file infected with malware to a sensitive location on the local drives, where it can do more damage.

His demonstration came down to a phishing attack that was blocked by the antivirus software when the malware sample was detected. With the file moved to quarantine, the vulnerability that he called AVGater allowed an unprivileged user to regain access to content that had been flagged as infected.

Disable restoring files from quarantine

By abusing Windows features such as NTFS directory junctions and the Dynamic Link Library search order, he was able to transfer an infected file from the quarantine to a sensitive location on the hard drive.
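As an added illustration from the defender's side (not code from the article or from Bogner's research): a PowerShell audit that lists directory junctions and symbolic links sitting in user-writable locations whose target points into a privileged system directory, the kind of redirection that a quarantine restore can be pointed at. The scan roots and the list of protected target paths are assumptions chosen for illustration; adapt them to the environment and run the script elevated.

```powershell
# Added example (not from the original article or Bogner's research):
# find reparse points in user-writable directories that redirect into a
# privileged system directory. A legitimate user profile contains junctions
# that point back into the same profile; those are not reported.
# Assumptions: run elevated; the scan roots and protected paths below are
# illustrative and should be adapted to the environment.

$ScanRoots = @('C:\Users', 'C:\ProgramData', "$env:SystemRoot\Temp")
$ProtectedTargets = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

function Get-SuspiciousJunction {
    param([string[]]$Roots, [string[]]$Protected)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Note: Windows PowerShell 5.1 may recurse into junctions it finds;
        # on large profiles, narrow the roots rather than scanning everything.
        Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LinkType -in @('Junction', 'SymbolicLink') } |
            ForEach-Object {
                $link = $_
                # .Target is an array in Windows PowerShell and a string in PowerShell 7;
                # @() normalises both. Some versions report targets with a \??\ prefix.
                foreach ($target in @($link.Target)) {
                    $t = ([string]$target) -replace '^\\\?\?\\', ''
                    $hit = $Protected | Where-Object {
                        $t.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
                    }
                    if ($hit) {
                        [pscustomobject]@{
                            Link     = $link.FullName
                            LinkType = $link.LinkType
                            Target   = $t
                            Owner    = (Get-Acl -LiteralPath $link.FullName).Owner
                        }
                    }
                }
            }
    }
}

Get-SuspiciousJunction -Roots $ScanRoots -Protected $ProtectedTargets | Format-Table -AutoSize
```

Any row returned shows a link created in a location a standard user can write to that resolves into a directory they normally cannot, together with the account that owns the link, which is the first thing to check when reviewing it.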

Bogner says several large antivirus vendors have been affected by the vulnerability, and some have already released patches, including Trend Micro, Emsisoft, Malwarebytes, Kaspersky, and ZoneAlarm. Others will follow soon, but no other specifics were provided as the companies are working on patches.

AVGater requires local access to the target system, which means that the vulnerability cannot be exploited remotely. A successful attack, however, can lead to an attacker gaining full control over the system, he warns.

It goes without saying that the best way for users to remain secure is to install the most recent versions of their antivirus software, but Bogner also recommends that IT admins disable the restore-from-quarantine functionality until patches are deployed.